Risk Assessment of Computer Network Security in Banks

Transcription

1 , pp Risk Assessment of Computer Network Security in Banks Tan Juan Weifang University of Science and Technology, Shandong, Shouguang, Abstract The importance of computer system security of banks can never be exaggerated. Conducting risk assessment of computer system security of banks can increase safety management and ensure normal operation. This paper firstly figures out risk assessment indexes for computer system security of banks through literature review and survey. Secondly, it uses AHP to confirm the weight of indicators and establishes five security levels. According to the judgment of experts, it finally establishes the risk assessment model for computer system security of banks. Keywords: computer; AHP; weight; risk assessment; fuzzy evaluation 1. Introduction Banks are an integral part of state-owned enterprises. With the development of computer network and the expansion of trading channel of banks, online services become more and more open and banks have experienced continuous upgrading. The computer network is placed a priority in banks. However, the computer network is easy to be attacked by viruses and Hackers. A damaged network will cause dire consequences and hit the bank greatly. Therefore, risk assessment of computer system security of banks can detect loop-holes in advance and warn the bank to increase the security level of computer network, ensuring that the bank is operated in a normal state. In response to the facts that the computer network of banks has multiple trading channels, the system is quite open and system data can be concentrated, banks and the government have followed closely network security. This paper intends to assess the computer system security of banks, makes reasonable warning of the security and establishes an appraisal model of computer system security of banks. In recent years, security loopholes loom large. For example, deposit is missing for no reasons and bank credit card becomes invalid. All these worry people a lot. Many banks recruited professionals to assess the computer network security in order to avoid unnecessary losses. Thus, it is important to conduct risk assessment of computer system security of banks, as it can increase the security level of banks, guarantees normal operation maintains bank s reputation and promotes a normal and stable life. Computer system security of banks has been studied many times. There are research results relevant to this topic on National Knowledge Infrastructure and relevant to risk assessment of computer system security of banks. 2. Evaluation Indicator System for Computer System Security of Banks Based on the questionnaires to Rural Commercial Bank, Agricultural Bank of China and China Construction Bank and relevant literature review, and according to the operation of computer network of banks (TCP/IP Internet model is adopted), there are four layers of evaluation indexes for the computer system security of banks, namely the ISSN: IJSIA Copyright c 2016 SERSC

2 physical layer, the network layer, the data layer and the layer. Each layer contains several second level evaluation indexes, as shown in Table 1. Table 1. Risk Assessment System for Computer System Security of Bank P first level evaluation index physical layerp 1 network layerp 2 data layerp 3 second level evaluation index computer hardware P 11 ; computer network facilitiesp 12 ;wiring system P 13 ;bank staff P 14 ; firewall P 21 ; vulnerability detection P 22 ; alarm system P 23 ; safety system P 24 ; certificate validation P 25 ; data detection P 31 ; data transmission P 32 ; data backup P 33 ; identity recognition P 34 ; log auditing P 35 ; layerp 4 response P 41 ; measurep 42 ; recovery P 43 ; 3. Index Weight of Computer System Security of Banks AHP is used to confirm the index weight of computer system security of banks. Firstly, the layer structure of computer system security of banks is established to do the assessment, as shown in Figure.1. Figure 1. Evaluation System Structure for Computer System Security of Banks Secondly, the 1-9 scale is used to construct the comparative judgment of all indexes. The comparative judgment is established by comparing the influence of indexes of the sub-layer on that of the dominant-layer. The influence is confirmed according to experts judgment. 2 Copyright c 2016 SERSC

3 Scale a ij Table Value of Scale Mark Comparison results between index I and index j 1 same influence of index i and index j 3 the influence of index i is a bit stronger than index j 5 the influence of index i is stronger than index j 7 the influence of index i is much stronger than index j 9 the influence of index i is absolutely stronger than index j 2,4,6,8 1 1,, 2 9 The comparative influence of index i and index j lies in between 1,3,5 and 9 The comparative influence of index i and index j is the interval number of a ij Thirdly, use the geometric method to calculate the weight of indexes (1) Compute the product of elements in each line in the comparative judgment and get vector ; (2) (2)Subject vector to extraction and get vector ; (3) Normalize vector and get the corresponding weight vector. Finally, subject the comparative judgment to consistency test with the following two steps. ar n ij j max n 1 j1 CI max (1) Compute the consistency index n 1 n i1 ri, where. CI CR (2) Compute the consistency radio RI, where RI refers to random consistency index. Its value is shown in Table 3. Table 3. Random Consistency Indexes n n RI Neutrally, when 0.10 CR, subject the comparative judgment to consistency test. Use AHP to calculate the index weight of computer system security of banks: Copyright c 2016 SERSC 3

4 Table 4. Comparison Matrix and Test Results of the First Level Evaluation Indexes Relative to the Target Layer Target layer computer system security of banks P maximum consistency first level evaluation index physical network data weight eigenvalue ratio layerp 1 layerp 2 layerp 3 layerp 4 physical layer P 1 1 1/6 1/ network layer P data layer P 3 3 1/ layer P 4 1/5 1/9 1/ Table 5. Comparison Matrix and Test Results of the Second Level Evaluation Indexes Relative to the First Level Evaluation Indexes first level evaluation index physical layerp 1 computer computer wiring bank maximum consistency second level evaluation index hardware network system staff weight eigenvalue ratio P 11 facilitiesp 12 P 13 P 14 computer hardware P /5 1/3 1/ computer network facilitiesp wiring system P /3 1 1/ bank staff P / Table 6. Comparison Matrix and Test Results of the Second Level Evaluation Index Relative to the Network Layer Indexes P2 first level evaluation index network layerp 2 second level evaluation index firewall P 21 alarm vulnerability system detection P 22 P 23 safety maximum certificate system weight eigenvalue validation P 24 firewall P / vulnerability detection P 22 1/5 1 1/3 1/8 1/ alarm system P 23 1/ /7 1/ safety system P certificate validation P 25 1/ / Table 7. Comparison Matrix and Test Results of the Second Level Evaluation Index Relative to the First Level Data Layer Indexes P3 P 25 consistency ratio first level evaluation index data layerp 3 data data data identity log maximum consistency second level evaluation index detection transmission backup recognition auditing weight eigenvalue ratio P 31 P 32 data detection P data transmission P 32 1/ /3 1/ data backup P 33 1/9 1/5 1 1/6 1/ identity recognition P 34 1/ log auditing P 35 1/ / P 33 P 34 P Copyright c 2016 SERSC

5 Table 8. Comparison Matrix and Test Results of the Second Level Evaluation Index Relative to the First Level Emergency Layer Indexes P4 first level evaluation index layerp 4 second level evaluation index response P 41 measurep 42 recovery response P /6 1/ measurep recovery P / P 43 maximum weight eigenvalue consistency ratio As CR is smaller than 0.10, P, P1, P2, P3, P4all pass the consistency test. The index weight of computer system security of banks is concluded as in Table 9. Table 9. The Index Weight of Computer System Security of Banks first level evaluation index weight second level evaluation index weight computer hardware P 11 ; physical layerp computer network facilitiesp 12 ; wiring system P 13 ; bank staff P 14 ; firewall P 21 ; vulnerability detection P 22 ; network layerp alarm system P 23 ; safety system P 24 ; certificate validation P 25 ; data detection P 31 ; data transmission P 32 ; data layerp data backup P 33 ; identity recognition P 34 ; log auditing P 35 ; response P 41 ; layerp measurep 42 ; recovery P 43 ; Risk Assessment Model for Computer System Security of Banks Risks of computer system security of banks are categorized into five levels: very safe, relatively safe, neutral, relatively dangerous and very dangerous. Establish risk assessment model for computer system security of banks. Establishing the risk assessment set The risk assessment set is shown in Table 10. Table 10. Risk Assessment Set for Computer System Security of Banks second level evaluation index computer hardware P 11 ; Security level Copyright c 2016 SERSC 5

6 computer network facilitiesp 12 ; wiring system P 13 ; bank staff P 14 ; firewall P 21 ; vulnerability detection P 22 ; alarm system P 23 ; safety system P 24 ; certificate validation P 25 ; data detection P 31 ; data transmission P 32 ; data backup P 33 ; identity recognition P 34 ; log auditing P 35 ; response P 41 ; measurep 42 ; recovery P 43 ; (2) Confirm the fuzzy evaluation judgment Expert judgment method is employed to confirm the judgment matrix. Suppose the judgment result of the i-thsecond level evaluation index in the first level evaluation (1) (1) (1) (1) (1) indexp1is ri 1 ri 2 ri 3 ri 4 r i5, where i 1,2,3,. 4 The fuzzy evaluation judgment of second level evaluation index is: 6 Copyright c 2016 SERSC

7 R r r r r r (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) r21 r22 r23 r24 r25 1 (1) (1) (1) (1) (1) r31 r32 r33 r34 r35 (1) (1) (1) (1) (1) r41 r42 r43 r44 r45 Where r ij the number of experts who rate j-class/ total number of experts. Similarly: r r r r r (2) (2) (2) (2) (2) (2) (2) (2) (2) (2) r21 r22 r23 r24 r25 (2) (2) (2) (2) (2) (2) (2) (2) (2) (2) r41 r42 r43 r44 r45 (2) (2) (2) (2) (2) r51 r52 r53 r54 r55 R r r r r r r r r r r r r r r r R r r r r r r r r r r r r r r r R (3) (3) (3) (3) (3) (3) (3) (3) (3) (3) (3) (3) (3) (3) (3) (3) (3) (3) (3) (3) (3) (3) (3) (3) (3) r r r r r r r r r r r r r r r (4) (4) (4) (4) (4) (4) (4) (4) (4) (4) (4) (4) (4) (4) (4) According to the weight of second level evaluation index, compute the fuzzy evaluation judgment of the first level evaluation index: R r T 1 R T T T 1 r2 R2 r3 R3 r4 R 4, Then, according to the weight of the first level evaluation index, compute the risk assessment vector of the computer system security of banks: T w r R According to the maximum principle, the highest risk is the class in which the computer network is categorized. 5. Model Application-Risk Assessment of a Certain Computer System Security of Banks A state-owned bank was subject to risk assessment. A team of 20 experts was asked to score 17 second level evaluation indexes of the computer system security. The judgment results are shown in Table 11.,,, Table 11. Expert Assessment of a Computer System Security of a Domestic Bank second level evaluation index. Assessment result computer hardware P 11 ; computer network facilitiesp 12 ; wiring system P 13 ; Copyright c 2016 SERSC 7

8 bank staff P 14 ; firewall P 21 ; vulnerability detection P 22 ; alarm system P 23 ; safety system P 24 ; certificate validation P 25 ; data detection P 31 ; data transmission P 32 ; data backup P 33 ; identity recognition P 34 ; log auditing P 35 ; response P 41 ; measurep 42 ; recovery P 43 ; Subject the results to data processing, as shown in Table 12. Table 12. Assessment Results after Data Processing second level evaluation index Assessment results after data processing computer hardware P 11 ; computer network facilitiesp 12 ; wiring system P 13 ; bank staff P 14 ; firewall P 21 ; vulnerability detection P 22 ; alarm system P 23 ; safety system P 24 ; certificate validation P 25 ; data detection P 31 ; data transmission P 32 ; data backup P 33 ; identity recognition P 34 ; log auditing P 35 ; response P 41 ; Copyright c 2016 SERSC

9 measurep 42 ; recovery P 43 ; Use MATLB (in the Appendix) to compute the judgment vector of risk assessment of the computer system security of banks: w According to the maximum principle, it is found that the computer system security of banks is very safe. Conclusion In response to the media report of loops holes in bank s system and to the credit crisis of banks, banks should enhance security management of its computer system and increase the safety level. Priority should be given to risk assessment of computer system security, so as to ensure a normal operation of bank s business. Appendix: MATLB program a=load ('yhjsjwlaq.txt'); w= [ ]; w1= [0.0736, , , ]; w2= [0.1815, , , , ]; w3= [0.4901, , , , ]; w4= [0.0915, , ]; b (1,:)=w1*a([1:4],:); b (2,:)=w2*a([5:9],:); b (3,:)=w3*a([10:14],:); b (4,:)=w4*a([15:end],:); c=w*b c = References [1] M. Ali Aydın, A. Halim Zaim, K. Gökhan Ceylan. A hybrid intrusion detection system design for computer network security [J]. Computers and Electrical Engineering, vol.35, no. 3, (2009), pp [2] J M. Estévez-Tapiador, ı -Teodoro,. ı z-verdejo. NSDF: a computer network system description framework and its application to network security [J]. Computer Networks, vol.43, no. 5, (2003), pp [3] S Zhang. A model for evaluating computer network security systems with 2-tuple linguistic information [J]. Computers and Mathematics with Applications, vol.62, no. 4, (2011), pp [4] R Lübben, M Fidler, J Liebeherr, Stochastic bandwidth estimation in networks with random service [J], IEEE/ACM Transactions on Networking (TON), vol.22, no. 2, (2014), pp [5] T J. Rothwell. Job applications and network security, or, how to not limit the online applicant pool [J]. Ubiquity, (2003) (April), pp.2-2. Copyright c 2016 SERSC 9

10 [6] G B. White, E A. Fisch, U W. Pooch. Computer System and Network Security. EDPACS, vol.25, no. 8, (1998). [7] G Gercek, N Saleem, Securing Small Business Computer Networks: An Examination of Primary Security Threats and Their Solutions, Information Security Journal: A Global Perspective, vol.14, no. 3, (2005). [8] Y-K Lin, C-L Pan. Considering retransmission mechanism and latency for network reliability evaluation in a stochastic computer network [J]. Journal of Industrial and Production Engineering, vol.31, no. 6, (2014), pp [9] L T o, Application of Fuzzy Mathematics in the Evaluation of Customer Satisfaction in Supermarket [ ], Journal of Capital Normal University, no. 3, (2015), pp [10] L Tao, Fuzzy Mathematics Evaluation based on University Network Risks [J]. Journal of Huaiyin Teachers College (Natural Science Edition), no. 2, (2015), pp [11] W ie, Analysis of Computer Network Security [J]. Guangxi Journal of Light Industry, no. 2, (2011), pp [12] X Zhe, On the Existing Problems and Countermeasures of the University Network Security [D]. (2012). [13] L Bingqi, The Factors Inlfuencing the Computer Network Security and Countermeasures [J]. Computer Engineering & Software, no. 3, (2014), pp [14] H Zhonggeng. Mathematical Modeling Methods and Application [M]. Beijing: Higher Education Press,( 2005). [15] S Jingwei, W Xinyi. Application of Comprehensive Evaluation for the Quality of the Physical and Chemical Laboratory by Fuzzy Mathematics [J]. Shanghai Journal of Preventive Medicine, vol. 6, no. 14, (2002), pp [16] Z Lijuan, W Qingxi n, Application of Fuzzy Analytic Hierarchy Process Model in Network Security Situation Assessment [J]. Computer Simulation, no. 12, (2011), pp [17] L T o, The Environment Impact Evaluation based on Urban Land Planning Project[J]. International Journal of Earth Sciences and Engineering, no. 2, (2015). 10 Copyright c 2016 SERSC